add jwt token auth support (#190)

RELEASE.md

@@ -1,7 +1 @@
-- Add 'all' token scope with 2 values, 'core' and 'admin'.  'Core' is all scopes except for admin and 'admin' includes admin.  Use as `New-VenafiSession -Scope @{'all'='core'}`.  Not suggested for production environments
-- Add `-SkipCertificateCheck` to `New-VenafiSession` and `New-TppToken` to bypass certificate checking, useful in pre-production environments, connecting via IP, etc.  If you aren't creating a new session, but providing a token directly to a function, the same functionality can be found by setting an environment variable `$env:VENAFIPS_SKIP_CERT_CHECK=1`.  If vaulting your token, this value will also be vaulted in the metadata making it very easy to use `New-VenafiSession -VaultRefreshAccessToken $name` and connect to pre-prod environments with no certificate checking
-- `New-VenafiSession -VaultMetadata` is now deprecated and metadata will be vaulted by default
-- Token scope is now vaulted in metadata and added to $VenafiSession when using `-VaultAccessTokenName` or `-VaultRefreshTokenName` of `New-VenafiSession`
-- Update `Write-VerboseWithSecret` to support secrets in delimited json
-- Fix TppObject ParentPath error when it contains certain characters, [#186](https://github.com/Venafi/VenafiPS/issues/186)
-- Fix object does not exist error with `Move-TppObject` in a try/catch, [#185](https://github.com/Venafi/VenafiPS/issues/185)
+- Add support for JWT token authentication in `New-VenafiSession` and `New-TppToken`

VenafiPS/Public/New-TppToken.ps1

@@ -30,6 +30,11 @@ function New-TppToken {
     .PARAMETER State
     A session state, redirect URL, or random string to prevent Cross-Site Request Forgery (CSRF) attacks
 
+    .PARAMETER Jwt
+    JSON web token.
+    Available in TPP v22.4 and later.
+    Ensure jwt mapping has been configured in VCC, Access Management->JWT Mappings.
+
     .PARAMETER Certificate
     Certificate used to request API token.  Certificate authentication must be configured for remote web sdk clients, https://docs.venafi.com/Docs/current/TopNav/Content/CA/t-CA-ConfiguringInTPPandIIS-tpp.php.
 
@@ -84,6 +89,7 @@ function New-TppToken {
         [Parameter(ParameterSetName = 'OAuth', Mandatory)]
         [Parameter(ParameterSetName = 'Integrated', Mandatory)]
         [Parameter(ParameterSetName = 'Certificate', Mandatory)]
+        [Parameter(ParameterSetName = 'Jwt', Mandatory)]
         [Parameter(ParameterSetName = 'RefreshToken', Mandatory)]
         [ValidateScript( {
                 if ( $_ -match '^(https?:\/\/)?(((?!-))(xn--|_{1,1})?[a-z0-9-]{0,61}[a-z0-9]{1,1}\.)*(xn--)?([a-z0-9][a-z0-9\-]{0,60}|[a-z0-9-]{1,30}\.[a-z]{2,})$' ) {
@@ -101,11 +107,13 @@ function New-TppToken {
         [Parameter(ParameterSetName = 'Integrated', Mandatory)]
         [Parameter(ParameterSetName = 'Certificate', Mandatory)]
         [Parameter(ParameterSetName = 'RefreshToken', Mandatory)]
+        [Parameter(ParameterSetName = 'Jwt', Mandatory)]
         [string] $ClientId,
 
         [Parameter(ParameterSetName = 'OAuth', Mandatory)]
         [Parameter(ParameterSetName = 'Integrated', Mandatory)]
         [Parameter(ParameterSetName = 'Certificate', Mandatory)]
+        [Parameter(ParameterSetName = 'Jwt', Mandatory)]
         [hashtable] $Scope,
 
         [Parameter(ParameterSetName = 'OAuth', Mandatory)]
@@ -115,6 +123,9 @@ function New-TppToken {
         [Parameter(ParameterSetName = 'OAuth')]
         [string] $State,
 
+        [Parameter(ParameterSetName = 'Jwt', Mandatory)]
+        [string] $Jwt,
+
         [Parameter(ParameterSetName = 'Certificate', Mandatory)]
         [X509Certificate] $Certificate,
 
@@ -141,9 +152,9 @@ function New-TppToken {
     )
 
     $params = @{
-        Method  = 'Post'
-        UriRoot = 'vedauth'
-        Body    = @{}
+        Method               = 'Post'
+        UriRoot              = 'vedauth'
+        Body                 = @{}
         SkipCertificateCheck = $SkipCertificateCheck
     }
 
@@ -181,9 +192,11 @@ function New-TppToken {
 
             $scopeString = if ( $Scope.all -eq 'core' ) {
                 'agent:delete;certificate:approve,delete,discover,manage,revoke;configuration:delete,manage;restricted:delete,manage;security:delete,manage;ssh:approve,delete,discover,manage;statistics;codesign:delete,manage;codesignclient'
-            } elseif ($Scope.all -eq 'admin' ) {
+            }
+            elseif ($Scope.all -eq 'admin' ) {
                 'admin:delete,viewlogs,recyclebin;agent:delete;certificate:delete,discover,manage,revoke;configuration:delete,manage;restricted:delete,manage;security:delete,manage;ssh:approve,delete,discover,manage;statistics;codesign:approve,admin,delete,manage;codesignclient'
-            } else {
+            }
+            else {
                 @(
                     $scope.GetEnumerator() | ForEach-Object {
                         if ($_.Value) {
@@ -217,6 +230,10 @@ function New-TppToken {
                     $params.Certificate = $Certificate
                 }
 
+                'Jwt' {
+                    $params.Body.jwt = $Jwt
+                }
+
                 Default {
                     throw ('Unknown parameter set {0}' -f $PSCmdlet.ParameterSetName)
                 }

VenafiPS/Public/New-VenafiSession.ps1

@@ -50,6 +50,11 @@ function New-VenafiSession {
     First time use requires it to be provided with credentials to retrieve the refresh token and populate the vault.
     With subsequent uses, it can be provided standalone and the refresh token will be retrieved without the need for credentials.
 
+    .PARAMETER Jwt
+    JSON web token.
+    Available in TPP v22.4 and later.
+    Ensure jwt mapping has been configured in VCC, Access Management->JWT Mappings.
+
     .PARAMETER Certificate
     Certificate for token-based authentication
 
@@ -147,6 +152,9 @@ function New-VenafiSession {
     .LINK
     https://docs.venafi.com/Docs/current/TopNav/Content/SDK/AuthSDK/r-SDKa-POST-AuthorizeCertificate.php
 
+    .LINK
+    https://docs.venafi.com/Docs/current/TopNav/Content/SDK/AuthSDK/r-SDKa-POST-AuthorizeJwt.php
+
     .LINK
     https://github.com/PowerShell/SecretManagement
 
@@ -163,6 +171,7 @@ function New-VenafiSession {
         [Parameter(Mandatory, ParameterSetName = 'TokenOAuth')]
         [Parameter(Mandatory, ParameterSetName = 'TokenIntegrated')]
         [Parameter(Mandatory, ParameterSetName = 'TokenCertificate')]
+        [Parameter(Mandatory, ParameterSetName = 'TokenJwt')]
         [Parameter(Mandatory, ParameterSetName = 'AccessToken')]
         [Parameter(Mandatory, ParameterSetName = 'RefreshToken')]
         [Parameter(ParameterSetName = 'VaultAccessToken')]
@@ -186,13 +195,15 @@ function New-VenafiSession {
         [Parameter(Mandatory, ParameterSetName = 'TokenIntegrated')]
         [Parameter(Mandatory, ParameterSetName = 'TokenOAuth')]
         [Parameter(Mandatory, ParameterSetName = 'TokenCertificate')]
+        [Parameter(Mandatory, ParameterSetName = 'TokenJwt')]
         [Parameter(ParameterSetName = 'RefreshToken', Mandatory)]
         [Parameter(ParameterSetName = 'VaultRefreshToken')]
         [string] $ClientId,
 
         [Parameter(Mandatory, ParameterSetName = 'TokenIntegrated')]
         [Parameter(Mandatory, ParameterSetName = 'TokenOAuth')]
         [Parameter(Mandatory, ParameterSetName = 'TokenCertificate')]
+        [Parameter(Mandatory, ParameterSetName = 'TokenJwt')]
         [Parameter(ParameterSetName = 'VaultAccessToken')]
         [Parameter(ParameterSetName = 'VaultRefreshToken')]
         [hashtable] $Scope,
@@ -207,6 +218,9 @@ function New-VenafiSession {
         [Parameter(Mandatory, ParameterSetName = 'RefreshToken')]
         [PSCredential] $RefreshToken,
 
+        [Parameter(Mandatory, ParameterSetName = 'TokenJwt')]
+        [string] $Jwt,
+
         [Parameter(Mandatory, ParameterSetName = 'TokenCertificate')]
         [X509Certificate] $Certificate,
 
@@ -328,7 +342,7 @@ function New-VenafiSession {
 
         }
 
-        { $_ -in 'TokenOAuth', 'TokenIntegrated', 'TokenCertificate' } {
+        { $_ -in 'TokenOAuth', 'TokenIntegrated', 'TokenCertificate', 'TokenJwt' } {
             $params = @{
                 AuthServer           = $authServerUrl
                 ClientId             = $ClientId
@@ -344,6 +358,10 @@ function New-VenafiSession {
                 $params.Certificate = $Certificate
             }
 
+            if ( $PSBoundParameters.ContainsKey('Jwt') ) {
+                $params.Jwt = $Jwt
+            }
+
             if ($State) {
                 $params.State = $State
             }